Do not open a public issue for suspected vulnerabilities.
Use GitHub Security Advisories for the affected repository when private vulnerability reporting is enabled. If the report is documentation-specific, include the page, commit, exposed information, and suggested remediation.
For report contents, public issue boundaries, and sanitization guidance, read the docs FAQ: docs/devops/security-policy-faq.md.
The organization has not yet designated a permanent public security contact. Until then, private GitHub advisories are the preferred intake path. If private reporting is not available for the affected repository, open a minimal public issue that does not include exploit details, secrets, tokens, logs with private values, or step-by-step reproduction; ask a maintainer to enable a private reporting channel for the full report.
The active main branch and the public docs deployment are supported by default.
- Acknowledge valid private reports within 7 days when possible.
- Triage whether the issue exposes secrets, deployment details, or misleading security guidance.
- Prepare corrected documentation and disclosure notes before publishing details.